CN110460442A - A lattice-based key encapsulation method - Google Patents

Publication number
CN110460442A
Authority
CN
China
Prior art keywords
ring
polynomial
key
integer
mod
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910682004.5A
Other languages
Chinese (zh)
Other versions
CN110460442B (en)
Inventor
潘彦斌
李昊宇
谢天元
刘珍
杨照民
朱熠铭
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Academy of Mathematics and Systems Science of CAS
Original Assignee
Academy of Mathematics and Systems Science of CAS
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3006 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy; underlying computational problems or public-key parameters
    • H04L9/3026 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy; underlying computational problems or public-key parameters; details relating to polynomials generation, e.g. generation of irreducible polynomials
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload, wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption

Abstract

The invention discloses a lattice-based key encapsulation method. The method first chooses a special $b = \alpha$ and then computes the corresponding $a$, which compresses the classical LWE encryption system further and yields a fast and efficient lattice-based key encapsulation method. For the residue class rings $Z_j$ involved: when $j$ is even, choose as the representatives of the ring $Z_j$; when $j$ is odd, choose as the representatives of the ring $Z_j$. The public parameters $N, q, \alpha$ and the small-coefficient polynomials $f, g, e$ must be chosen so that holds with very high probability, where $\|gr+ef\|$ denotes the largest absolute value among all coefficients of the polynomial $gr+ef$.

Description

A lattice-based key encapsulation method
Technical field
The invention belongs to the field of information security technology, and specifically relates to a lattice-based key encapsulation method.
Background
The public-key encryption algorithms and key encapsulation systems in use today are mainly built on classical mathematical problems. For example, the widely used RSA public-key cryptosystem and elliptic-curve public-key cryptosystems rely on hard mathematical problems: the integer factorization problem or the discrete logarithm problem on elliptic-curve groups.
In theory, quantum algorithms can efficiently solve classical problems such as integer factorization and discrete logarithms, which poses a serious threat to the security of existing public-key cryptosystems. Cryptography that can resist attacks by quantum computers (post-quantum cryptography) has therefore attracted wide attention. According to the underlying hard mathematical problem, post-quantum public-key cryptography is mainly divided into lattice-based, code-based, hash-based and multivariate cryptography.
For lattice-based public-key cryptosystems, after Regev proposed a public-key encryption system based on the LWE problem in 2005, more and more cryptographers have studied it in depth. Specifically, an LWE-based public-key encryption system generally has the following structure: the sender uses the recipient's public key $(a, b = as + e_1)$ to encrypt a message $m$ into the ciphertext $(c_1, c_2)$, where $c_1 = ar + e_a$, $c_2 = br + e_b + \mathrm{Encode}(m)$, and $\mathrm{Encode}(m)$ is an encoding of the message $m$, most commonly . Finally the recipient uses its own private key $s$ to decrypt the ciphertext and recover the message. To reduce the ciphertext size, $c_2$ is usually compressed. The most common method discards the low-order bits of each coefficient of $c_2$ and keeps only the 2 to 3 high-order bits, which requires a sufficiently large $q$ to be compatible with this compression and to guarantee decryption correctness.
Besides lattice-based public-key encryption, lattice-based key encapsulation mechanisms are also an important part of lattice cryptography. In a key encapsulation mechanism, the sender runs an encapsulation algorithm that produces a session key and a corresponding ciphertext; this ciphertext is also called the session key encapsulation. The sender then sends the session key encapsulation to the recipient, who runs the decapsulation algorithm to obtain the same session key as the sender. Using the classical Fujisaki-Okamoto (FO) transform, a key encapsulation mechanism with IND-CPA security can be converted into a key encapsulation mechanism with IND-CCA2 security.
Summary of the invention
The purpose of the invention is to provide a lattice-based key encapsulation method. Unlike the classical LWE encryption system, which first chooses $a$ at random and then computes the corresponding $b$, the invention first chooses a special $b = \alpha$ and then computes the corresponding $a$. This compresses the classical LWE encryption system further and yields a fast and efficient lattice-based key encapsulation method.
For the residue class rings $Z_j$ used in the invention: when $j$ is even, we choose as the representatives of the ring $Z_j$; when $j$ is odd, we choose as the representatives of the ring $Z_j$.
A lattice-based key encapsulation method, whose steps include:
Step 1.1, key generation: the recipient first chooses a positive integer $N$, an integer $q$ greater than 1 and a positive integer $\alpha$ such that . It chooses an integer-coefficient polynomial $F(x)$ of degree $N$ and sets the ring $R_q = Z_q[x]/F(x)$, where $Z_q[x]$ is the polynomial ring over the residue class ring $Z_q$, and publishes $(N, q, \alpha)$ and the ring $R_q$ as common parameters. The recipient selects small-coefficient polynomials $f, g$ in the ring $R_q$; the polynomial $f$, which serves as the private key, must be invertible in $R_q$, and its inverse is denoted $f^{-1}$. Finally the recipient computes the public key $h = f^{-1}(g + \alpha) \bmod q$.
Step 1.2, encapsulation: the sender chooses a small-coefficient polynomial $e$ in the ring $R_q$ and an integer-coefficient polynomial $r$ of degree less than $N$, where each coefficient $r_i$ of $r$ is taken from the ring $Z_{「q/\alpha」}$. Using the recipient's public key $h$, the sender computes the ciphertext $c = hr + e \bmod q$ and sends it to the recipient. Finally the sender computes the session key $K = H(h, r, c)$, where $H(\cdot)$ denotes some public function.
Step 1.3, decapsulation: the recipient uses its own private key $f$ and the received ciphertext $c$ to compute $d = fc \bmod q$. For each coefficient $d_i \in Z_q$ of $d$, it finds the integer $l_i$ in the value range of $r_i$ that minimizes $|(d_i - l_i\alpha) \bmod q|$, and sets $r_i = l_i$. Here the polynomial , the polynomial , $d_i$ denotes the coefficient of the monomial $x^i$ in the polynomial $d$, $r_i$ denotes the coefficient of the monomial $x^i$ in the polynomial $r$, and the integer $i$ ranges from 0 to $N-1$. Finally, using the obtained $h, r, c$, the session key $K$ is generated by the function $H(h, r, c)$.
The small-coefficient polynomials $f, g$ in step 1.1 and the small-coefficient polynomial $e$ in step 1.2 can be chosen in the following ways:
1) From the set of binary polynomials , where each coefficient of a binary polynomial is 0 or 1 and exactly $y$ coefficients are 1; the positive integer $y$ is a preset fixed value.
2) From the set of ternary polynomials , where each coefficient of a ternary polynomial is 0, 1 or -1, exactly $y$ coefficients are 1 and exactly $y'$ coefficients are -1; the positive integers $y$ and $y'$ are preset fixed values.
3) From the set of polynomials of the form $f_1 f_2 + f_3$, where $f_1, f_2, f_3$ are chosen from $B(y)$ or $T(y', y'')$, and the positive integers $y, y', y''$ are preset fixed values.
In step 1.1, $q$ and $\alpha$ can be chosen so that is small, for example no more than 1, to guarantee the success probability of the decapsulation algorithm.
The $\bmod q$ in steps 1.1, 1.2 and 1.3 means that all coefficients of a polynomial are reduced modulo $q$ into $Z_q$.
All polynomial multiplications in steps 1.1, 1.2 and 1.3 are defined over the ring $R_q$. Unlike ordinary polynomial multiplication, multiplication in $R_q$ first computes the product by polynomial multiplication in $Z_q[x]$, then uses the polynomial division algorithm in $Z_q[x]$ to find the remainder of that product with respect to the divisor $F(x)$, and takes the remainder as the final product.
To guarantee the success probability of the decapsulation algorithm, the public parameters $N, q, \alpha$ chosen in step 1.1 and the way the small-coefficient polynomials $f, g, e$ are chosen should ensure that holds with very high probability, where $\|gr+ef\|$ denotes the largest absolute value among all coefficients of the polynomial $gr+ef$.
The above idea can also be used to construct a public-key encryption system directly. Its steps include:
1) Key generation: key generation proceeds as described in step 1.1. The recipient's public key is $h$ and the private key is $f$.
2) Encryption: following the method of step 1.2, the sender first computes $c_1 = hr + e \bmod q$ and $K = H(h, r, c_1)$, then computes $c_2 = E_K(m)$ for the message $m$, where $E_K$ is some encryption function keyed with $K$. The ciphertext finally sent is $(c_1, c_2)$.
3) Decryption: the recipient uses the private key $f$ and the ciphertext $c_1$ to first recover $K$ by the method of step 1.3; the recovered message is then $m = D_K(c_2)$, where $D_K$ is the decryption function corresponding to $E_K$.
If the message $m$ is a polynomial in the ring $R_q$ and each coefficient of $m$ lies in $Z_{「q/\alpha」}$, the message $m$ can be used directly as the $r$ of step 1.2, which gives an NTRU-like encryption mechanism. Its steps include:
1) Key generation: the recipient's key generation proceeds as described in step 1.1. The recipient's public key is $h$ and the private key is $f$.
2) NTRU-like encryption: the sender chooses a small-coefficient polynomial $e \in R_q$ and, using $m$ and the recipient's public key $h$, computes the ciphertext $c = hm + e \bmod q$ and sends it to the recipient.
3) NTRU-like decryption: the recipient uses the private key $f$ and the received ciphertext $c$ to compute $d = fc \bmod q$. For each integer $i$, $0 \le i \le N-1$, let $d_i \in Z_q$ be the coefficient of $x^i$ in $d$; find the integer $l_i$ in the value range of $m_i$ that minimizes $|(d_i - l_i\alpha) \bmod q|$, and recover $m'_i = l_i$. The message finally recovered is $(m'_0, m'_1, \ldots, m'_{N-1})$.
Using the FO transform, a key encapsulation mechanism with IND-CCA2 security can be constructed. Its steps include:
1) Key generation: key generation proceeds as described in step 1.1. The recipient's public key is $h$ and the private key is $f$.
2) Encapsulation achieving IND-CCA2 security via the FO transform: the sender chooses an integer-coefficient polynomial $r$ of degree less than $N$, where each coefficient $r_i$ of $r$ is taken from the ring $Z_{「q/\alpha」}$, and computes , where $G(\cdot)$ is a pseudorandom number generator, $D(\cdot)$ denotes a hash function, $\|$ denotes concatenation, and the $N$-dimensional vector and the $N$-dimensional vector $e$ are the output of the pseudorandom number generator on input $D(h) \| r$. Using the recipient's public key $h$, the sender computes the ciphertext $c = hr + e \bmod q$ and sends it to the recipient. Finally the sender generates the session key
3) Decapsulation achieving IND-CCA2 security via the FO transform: the recipient first recovers the polynomial $r'$ using the method of step 1.3. It then computes, with the pseudorandom number generator and the hash function, . Finally it checks whether $c$ and $hr' + e' \bmod q$ are equal: if they are equal it outputs the session key ; otherwise it outputs the session key $K = D(z \| c)$, where $z$ is a secret polynomial fixed in advance.
Compared with the prior art, the positive effects of the invention are:
By choosing the special $b = \alpha$, the polynomial $b$ in the public key of the classical LWE system becomes the public integer $\alpha$, which reduces the public key size. In addition, for any $r$ the low-order bits of $br$ are all 0 and can be discarded directly, so a very large $q$ is not needed to guarantee the correctness of the algorithm, which further reduces the public key size and the ciphertext size. The invention can also be viewed as a high-order version of NTRU, so it can be expected to be comparable to the NTRU encryption system in key size, security, application scenarios and other respects.
Description of the drawings
Fig. 1 is a flow chart of the key generation method;
Fig. 2 is a flow chart of the encapsulation method;
Fig. 3 is a flow chart of the decapsulation method;
Fig. 4 is a flow chart of the encryption method;
Fig. 5 is a flow chart of the decryption method;
Fig. 6 is a flow chart of the NTRU-like encryption method;
Fig. 7 is a flow chart of the NTRU-like decryption method;
Fig. 8 is a flow chart of the encapsulation method achieving IND-CCA2 security via the FO transform;
Fig. 9 is a flow chart of the decapsulation method achieving IND-CCA2 security via the FO transform.
Detailed description of the embodiments
To make the purpose, technical solution and advantages of the embodiments of the invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. The described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative work fall within the protection scope of the invention.
Referring to Fig. 1, Fig. 2 and Fig. 3, this embodiment provides a lattice-based public-key key encapsulation method, whose steps include:
Step 1.1, key generation: the recipient first chooses an odd prime $N$, an even number $q$ and a positive integer . It chooses the integer-coefficient polynomial $F(x) = x^N - 1$ and sets the ring $R_q = Z_q[x]/F(x)$, where $Z_q[x]$ is the polynomial ring over the residue class ring $Z_q$, and publishes $(N, q, \alpha)$ and the ring $R_q$ as common parameters. The recipient samples small-coefficient polynomials $f, g$ in the ring $R_q$ uniformly from the ternary polynomial set $T(y, y-1)$ until the polynomial $f$ is invertible in $R_q$. It takes $f$ as the private key, denotes its inverse $f^{-1}$, and computes the public key $h = f^{-1}(g + \alpha) \bmod q$.
Step 1.2, encapsulation: the sender chooses the polynomials $e$ and $r$ independently and uniformly at random from the set of binary polynomials of degree less than $N$, where each coefficient of a binary polynomial is 0 or 1. Using the recipient's public key $h$, the sender computes the ciphertext $c = hr + e \bmod q$ and sends it to the recipient. Finally the sender computes the session key $K = H(h, r, c)$, where $H(\cdot)$ denotes some public hash function.
Step 1.3, decapsulation: the recipient uses its own private key $f$ and the received ciphertext $c$ to compute $d = fc \bmod q$. For each coefficient $d_i \in Z_q$ of $d$, it computes the integer $l_i \in Z_2$ that minimizes $|(d_i - l_i\alpha) \bmod q|$, and sets $r_i = l_i$. Here $d_i$ denotes the coefficient of $x^i$ in the polynomial $d$, $r_i$ denotes the coefficient of $x^i$ in the polynomial $r$, and the integer $i$ ranges from 0 to $N-1$. Finally, using the obtained $h, r, c$, the session key $K$ is generated by the function $H(h, r, c)$.
The $\bmod q$ in steps 1.1, 1.2 and 1.3 means that all coefficients of a polynomial are reduced into $Z_q$.
The different versions of the algorithm are named KEM-N, where N is the degree of the polynomial $F(x)$. Taking the security and correctness of the scheme into account, the following two parameter sets are given.
Table 1: Main parameter choices
            N      q      T(y, y-1)
KEM-587     587    1024   T(196, 195)
KEM-1117    1117   1024   T(374, 373)
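Steps 1.1 to 1.3 of this embodiment and the correctness quantity ‖gr+ef‖, as an added Python sketch that is not code from the patent. Assumptions: α = q/2 (the page's value for α is not legible), q a power of two so that f can be inverted by lifting from mod 2, representatives of Z_q in (-q/2, q/2], SHA-256 as the hash H, and toy parameters N = 101, y = 34 for which the worst case 2y < α/2 makes decapsulation always succeed.

```python
import hashlib
import random

def ring_mul(a, b, N, q):
    """Product in R_q = Z_q[x]/(x^N - 1): cyclic convolution with coefficients mod q."""
    out = [0] * N
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                out[(i + j) % N] = (out[(i + j) % N] + ai * bj) % q
    return out

def centered(x, q):
    """Representative of x mod q in (-q/2, q/2] (assumed choice of representatives)."""
    x %= q
    return x - q if x > q // 2 else x

def gf2_inverse(f_bits, N):
    """Inverse of f modulo x^N + 1 over GF(2) by extended Euclid on int bitmasks, or None."""
    r0, r1, t0, t1 = (1 << N) | 1, f_bits, 0, 1
    while r1:
        quo, rem = 0, r0
        while rem.bit_length() >= r1.bit_length():   # long division r0 / r1
            s = rem.bit_length() - r1.bit_length()
            quo ^= 1 << s
            rem ^= r1 << s
        prod, a, b = 0, quo, t1                      # carry-less product quo * t1
        while a:
            if a & 1:
                prod ^= b
            a >>= 1
            b <<= 1
        r0, r1, t0, t1 = r1, rem, t1, t0 ^ prod
    return t0 if r0 == 1 else None

def invert_mod_q(f, N, q):
    """f^{-1} in R_q for q a power of two: invert mod 2, then Newton-lift to mod q."""
    inv2 = gf2_inverse(sum((c & 1) << i for i, c in enumerate(f)), N)
    if inv2 is None:
        return None
    v, bits = [(inv2 >> i) & 1 for i in range(N)], 1
    while (1 << bits) < q:                           # v <- v*(2 - f*v) doubles the precision
        t = [(-x) % q for x in ring_mul(f, v, N, q)]
        t[0] = (t[0] + 2) % q
        v, bits = ring_mul(v, t, N, q), bits * 2
    return v

def sample_ternary(N, ones, minus_ones, rng):
    """Element of T(ones, minus_ones): exactly that many +1 and -1 coefficients."""
    idx = rng.sample(range(N), ones + minus_ones)
    return [1 if k in idx[:ones] else -1 if k in idx[ones:] else 0 for k in range(N)]

def H(h, r, c):
    """SHA-256 stands in for the public function H, which the page leaves unspecified."""
    return hashlib.sha256(b"".join(x.to_bytes(2, "big") for x in h + r + c)).digest()

def keygen(N, q, alpha, y, rng):
    """Step 1.1: h = f^{-1}(g + alpha) mod q with f, g from T(y, y-1)."""
    f_inv = None
    while f_inv is None:                             # resample until f is invertible in R_q
        f = sample_ternary(N, y, y - 1, rng)
        f_inv = invert_mod_q(f, N, q)
    g = sample_ternary(N, y, y - 1, rng)
    g_alpha = [g[0] + alpha] + g[1:]
    return ring_mul(f_inv, g_alpha, N, q), f, g      # g is returned only for noise_norm()

def encaps(h, N, q, rng):
    """Step 1.2: binary r and e, c = h*r + e mod q, K = H(h, r, c)."""
    r = [rng.randrange(2) for _ in range(N)]
    e = [rng.randrange(2) for _ in range(N)]
    c = [(x + ei) % q for x, ei in zip(ring_mul(h, r, N, q), e)]
    return c, H(h, r, c), r, e

def decaps(f, h, c, N, q, alpha):
    """Step 1.3: d = f*c mod q, then r_i = the l in {0, 1} minimising |(d_i - l*alpha) mod q|."""
    d = ring_mul(f, c, N, q)
    r = [min((0, 1), key=lambda l: abs(centered(di - l * alpha, q))) for di in d]
    return H(h, r, c), r

def noise_norm(f, g, r, e, N, q):
    """Largest |coefficient| of g*r + e*f, the quantity the correctness condition bounds."""
    gr, ef = ring_mul(g, r, N, q), ring_mul(e, f, N, q)
    return max(abs(centered(a + b, q)) for a, b in zip(gr, ef))

def demo(seed=1):
    # Toy parameters (assumed, not from the patent); alpha = q/2 is also an assumption.
    # Worst case |g*r + e*f| <= 2*y = 68 < alpha/2 = 256, so decoding cannot fail.
    N, q, alpha, y = 101, 1024, 512, 34
    rng = random.Random(seed)                        # reproducible demo; not a CSPRNG
    h, f, g = keygen(N, q, alpha, y, rng)
    c, k_send, r, e = encaps(h, N, q, rng)
    k_recv, r_rec = decaps(f, h, c, N, q, alpha)
    return k_send == k_recv, r == r_rec, noise_norm(f, g, r, e, N, q)

if __name__ == "__main__":
    print(demo())
```

Because d = fc = αr + (gr + ef) mod q, the nearest-multiple decoding in `decaps` recovers r exactly when every coefficient of gr + ef stays below α/2 in absolute value; with the Table 1 parameter sets the worst-case bound 2y exceeds that, so correctness there holds only with high probability.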
The above idea can be used to construct an encryption mechanism directly. Referring to Fig. 1, Fig. 4 and Fig. 5, its steps include:
1) Key generation: key generation proceeds as described in step 1.1. The recipient's public key is $h$ and the private key is $f$.
2) Encryption: the sender chooses a polynomial $e \in R_q$ and an integer-coefficient polynomial $r$ of degree less than $N$, where each coefficient $e_i$ of $e$ and each coefficient $r_i$ of $r$ is taken independently and uniformly at random from $Z_2$. Using the message $m$ and the recipient's public key $h$, the sender computes the ciphertext $c_1 = hr + e \bmod q$. Let the public function $H(\cdot)$ be $H(a_1, a_2, a_3) = a_2$, i.e. the output of $H(\cdot)$ is its second input, so the temporary key is $K = H(h, r, c_1) = r$. The sender computes the ciphertext , where denotes the XOR operation, i.e. $m$ is encrypted with the key $K = r$ in one-time-pad fashion, and sends the ciphertext $(c_1, c_2)$ to the recipient.
3) Decryption: the recipient uses the private key $f$ and the ciphertext $c_1$ to compute $d = fc_1 \bmod q$. For each coefficient $d_i \in Z_q$ of $d$, it computes the integer $l_i \in Z_2$ that minimizes $|(d_i - l_i\alpha) \bmod q|$, and sets $r_i = l_i$. Here $d_i$ denotes the coefficient of $x^i$ in the polynomial $d$, $r_i$ denotes the coefficient of $x^i$ in the polynomial $r$, and $i$ ranges from 0 to $N-1$. The message finally recovered is
When the message $m$ is a polynomial in the ring $R_q$ and each coefficient of $m$ lies in $Z_2$, the message $m$ can be used directly as the $r$ of step 1.2, which gives an NTRU-like encryption mechanism. Referring to Fig. 1, Fig. 6 and Fig. 7, its steps include:
1) Key generation: key generation proceeds as described in step 1.1. The recipient's public key is $h$ and the private key is $f$.
2) NTRU-like encryption: the sender chooses a small-coefficient polynomial $e \in R_q$, where each coefficient $e_i$ of $e$ is taken independently and uniformly at random from $Z_2$. Using the message $m$ and the recipient's public key $h$, the sender computes the ciphertext $c = hm + e \bmod q$ and sends it to the recipient.
3) NTRU-like decryption: the recipient uses the private key $f$ and the ciphertext $c$ to compute $d = fc \bmod q$. For each coefficient $d_i \in Z_q$ of $d$, it computes the integer $l_i \in Z_2$ that minimizes $|(d_i - l_i\alpha) \bmod q|$, and sets $m'_i = l_i$. Here $d_i$ denotes the coefficient of $x^i$ in the polynomial $d$, and $i$ ranges from 0 to $N-1$. The message finally recovered is $m' = (m'_0, m'_1, \ldots, m'_{N-1})$.
Applying the FO transform gives a key encapsulation mechanism with IND-CCA2 security. Referring to Fig. 1, Fig. 8 and Fig. 9, its steps include:
1) Key generation: key generation proceeds as described in step 1.1. The recipient's public key is $h$ and the private key is $f$.
2) Encapsulation achieving IND-CCA2 security via the FO transform: the sender chooses uniformly at random a binary polynomial $r$ of degree less than $N$ and computes , where $G(\cdot)$ is a pseudorandom number generator, $D(\cdot)$ denotes a hash function, $\|$ denotes concatenation, and the $N$-dimensional vector is the output of the pseudorandom number generator. The sender computes the ciphertext $c = hr + e \bmod q$ and sends it to the recipient. The sender generates the session key
3) Decapsulation achieving IND-CCA2 security via the FO transform: the recipient first recovers the polynomial $r'$ using the method of step 1.3. It then computes, with the random number generator and the hash function, . Finally it checks whether $c$ and $hr' + e' \bmod q$ are equal: if they are equal it outputs the session key ; otherwise it outputs the session key $K = D(z \| c)$, where $z$ is a secret polynomial fixed in advance.
The above embodiments only illustrate the technical solution of the invention and do not limit it. A person of ordinary skill in the art may modify the technical solution of the invention or replace it with equivalents without departing from the spirit and scope of the invention; the protection scope of the invention is defined by the claims.

Claims (9)

1. A lattice-based key encapsulation method, whose steps include:
1) the recipient chooses a positive integer $N$, an integer $q$ greater than 1 and a positive integer $\alpha$ such that ; chooses an integer-coefficient polynomial $F(x)$ of degree $N$ and sets the ring $R_q = Z_q[x]/F(x)$, where $Z_q[x]$ is the polynomial ring over the residue class ring $Z_q$; when $q$ is even, chooses as the representatives of the ring $Z_q$, and when $q$ is odd, chooses as the representatives of the ring $Z_q$; publishes $(N, q, \alpha)$ and the ring $R_q$ as common parameters; then chooses small-coefficient polynomials $f, g$ in the ring $R_q$, where the polynomial $f$, serving as the private key, is invertible in the ring $R_q$; and computes the public key $h = f^{-1}(g + \alpha) \bmod q$;
2) the sender chooses a small-coefficient polynomial $e$ in the ring $R_q$ and an integer-coefficient polynomial $r$ of degree less than $N$, where each coefficient $r_i$ of $r$ is taken from the ring $Z_{「q/\alpha」}$; then, using the recipient's public key $h$, computes the ciphertext $c = hr + e \bmod q$ and sends it to the recipient; the sender's session key is $K = H(h, r, c)$, where $H(\cdot)$ denotes a public function; for the ring $Z_{「q/\alpha」}$, when 「q/α」 is even, chooses as the representatives of the ring $Z_{「q/\alpha」}$, and when 「q/α」 is odd, chooses as the representatives of the ring $Z_{「q/\alpha」}$;
3) the recipient uses its own private key $f$ and the received ciphertext $c$ to compute $d = fc \bmod q$; for each coefficient $d_i \in Z_q$ of $d$, finds the integer $l_i$ in the value range of $r_i$ that minimizes $|(d_i - l_i\alpha) \bmod q|$, and sets $r_i = l_i$; where the polynomial , the polynomial , $d_i$ denotes the coefficient of the monomial $x^i$ in the polynomial $d$, $r_i$ denotes the coefficient of the monomial $x^i$ in the polynomial $r$, and $i$ ranges from 0 to $N-1$; finally, using the obtained $h, r, c$, generates the session key $K$ by the function $H(h, r, c)$.
2. The method of claim 1, characterized in that the small-coefficient polynomials $f, g, e$ are chosen as follows: from the set of binary polynomials , where each coefficient of a binary polynomial is 0 or 1 and $y$ coefficients are 1, the positive integer $y$ being a preset fixed value.
3. The method of claim 1, characterized in that the small-coefficient polynomials $f, g, e$ are chosen as follows: from the set of ternary polynomials , where each coefficient of a ternary polynomial is 0, 1 or -1, $y$ coefficients are 1 and $y'$ coefficients are -1, the positive integers $y$ and $y'$ being preset fixed values.
4. The method of claim 1, characterized in that the small-coefficient polynomials $f, g, e$ are chosen as follows: from the set of polynomials of the form $f_1 f_2 + f_3$, where $f_1, f_2, f_3$ are chosen from $B(y)$ or $T(y', y'')$, the positive integers $y, y', y''$ being preset fixed values.
5. The method of claim 1, characterized in that $q$ and $\alpha$ satisfy
6. The method of claim 1 or 5, characterized in that
7. A public-key encryption system, characterized in that it comprises a key generation module, an encryption module and a decryption module; wherein,
the key generation module is used to choose a positive integer $N$, an integer $q$ greater than 1 and a positive integer $\alpha$ such that ; to choose an integer-coefficient polynomial $F(x)$ of degree $N$ and set the ring $R_q = Z_q[x]/F(x)$, where $Z_q[x]$ is the polynomial ring over the residue class ring $Z_q$; when $q$ is even, to choose as the representatives of the ring $Z_q$, and when $q$ is odd, to choose as the representatives of the ring $Z_q$; to publish $(N, q, \alpha)$ and the ring $R_q$ as common parameters; then to choose small-coefficient polynomials $f, g$ in the ring $R_q$, where the polynomial $f$, serving as the private key, is invertible in the ring $R_q$; and to compute the public key $h = f^{-1}(g + \alpha) \bmod q$;
the encryption module is used to choose a small-coefficient polynomial $e$ in the ring $R_q$ and an integer-coefficient polynomial $r$ of degree less than $N$, where each coefficient $r_i$ of $r$ is taken from the ring $Z_{「q/\alpha」}$; then, using the recipient's public key $h$, to compute the ciphertext $c_1 = hr + e \bmod q$ and obtain the session key $K = H(h, r, c_1)$, where $H(\cdot)$ denotes a public function; for the ring $Z_{「q/\alpha」}$, when 「q/α」 is even, to choose as the representatives of the ring $Z_{「q/\alpha」}$, and when 「q/α」 is odd, to choose as the representatives of the ring $Z_{「q/\alpha」}$; then to encrypt the message $m$ with the key $K$ to obtain $c_2$, the final ciphertext being $(c_1, c_2)$;
the decryption module is used to compute $d = fc_1 \bmod q$ using the private key $f$ and the ciphertext $c_1$; for each coefficient $d_i \in Z_q$ of $d$, to find the integer $l_i$ in the value range of $r_i$ that minimizes $|(d_i - l_i\alpha) \bmod q|$, and set $r_i = l_i$; where the polynomial , the polynomial , $d_i$ denotes the coefficient of the monomial $x^i$ in the polynomial $d$, $r_i$ denotes the coefficient of the monomial $x^i$ in the polynomial $r$, and $i$ ranges from 0 to $N-1$; finally, using the obtained $h, r, c_1$, to restore the session key $K$ through the function $H(h, r, c_1)$, and to recover the message $m$ using the session key $K$.
8. A public-key encryption system, characterized in that it comprises a key generation module, an encryption module and a decryption module; wherein,
the key generation module is used to choose a positive integer $N$, an integer $q$ greater than 1 and a positive integer $\alpha$ such that ; to choose an integer-coefficient polynomial $F(x)$ of degree $N$ and set the ring $R_q = Z_q[x]/F(x)$, where $Z_q[x]$ is the polynomial ring over the residue class ring $Z_q$; when $q$ is even, to choose as the representatives of the ring $Z_q$, and when $q$ is odd, to choose as the representatives of the ring $Z_q$; to publish $(N, q, \alpha)$ and the ring $R_q$ as common parameters; then to choose small-coefficient polynomials $f, g$ in the ring $R_q$, where the polynomial $f$, serving as the private key, is invertible in the ring $R_q$; and to compute the public key $h = f^{-1}(g + \alpha) \bmod q$;
the encryption module is used to choose a small-coefficient polynomial $e$ in the ring $R_q$ and then, for a message $m$ in the ring $R_q$ whose coefficients all lie in $Z_{「q/\alpha」}$, to compute the ciphertext $c = hm + e \bmod q$ using the public key $h$;
the decryption module is used to compute $d = fc \bmod q$ using the private key $f$ and the ciphertext $c$; for each coefficient $d_i \in Z_q$ of $d$, to find the integer $l_i$ in the value range of $m_i$ that minimizes $|(d_i - l_i\alpha) \bmod q|$, and set $m'_i = l_i$; where $d_i$ denotes the coefficient of $x^i$ in the polynomial $d$, and $i$ ranges from 0 to $N-1$; the message finally recovered is $(m'_0, m'_1, \ldots, m'_{N-1})$.
9. A key encapsulation method with IND-CCA2 security, whose steps include:
1) the recipient chooses a positive integer $N$, an integer $q$ greater than 1 and a positive integer $\alpha$ such that ; chooses an integer-coefficient polynomial $F(x)$ of degree $N$ and sets the ring $R_q = Z_q[x]/F(x)$, where $Z_q[x]$ is the polynomial ring over the residue class ring $Z_q$; when $q$ is even, chooses as the representatives of the ring $Z_q$, and when $q$ is odd, chooses as the representatives of the ring $Z_q$; publishes $(N, q, \alpha)$ and the ring $R_q$ as common parameters; then chooses small-coefficient polynomials $f, g$ in the ring $R_q$, where the polynomial $f$, serving as the private key, is invertible in the polynomial ring $R_q$; and computes the public key $h = f^{-1}(g + \alpha) \bmod q$;
2) the sender chooses an integer-coefficient polynomial $r$ of degree less than $N$, where each coefficient $r_i$ of $r$ is taken from the ring $Z_{「q/\alpha」}$, and computes , where $G(\cdot)$ is a pseudorandom number generator, $D(\cdot)$ denotes a hash function, $\|$ denotes concatenation, and the $N$-dimensional vector and the $N$-dimensional vector $e$ are the output of the pseudorandom number generator on input $D(h) \| r$; then, using the recipient's public key $h$, computes the ciphertext $c = hr + e \bmod q$ and the session key
3) the recipient uses its own private key $f$ and the received ciphertext $c$ to compute $d = fc \bmod q$; for each coefficient $d_i \in Z_q$ of $d$, finds the integer $l_i$ in the value range of $r_i$ that minimizes $|(d_i - l_i\alpha) \bmod q|$, and sets $r_i = l_i$; where the polynomial , the polynomial ; then computes, with the pseudorandom number generator and the hash function, ; finally checks whether the ciphertext $c$ and $hr + e' \bmod q$ are equal: if they are equal it outputs the session key ; otherwise it outputs the session key $K = D(z \| c)$, where $z$ is a preset secret polynomial.
CN201910682004.5A 2019-07-01 2019-07-26 Grid-based key encapsulation method Active CN110460442B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910584693 2019-07-01
CN2019105846936 2019-07-01

Publications (2)

Publication Number Publication Date
CN110460442A true CN110460442A (en) 2019-11-15
CN110460442B CN110460442B (en) 2020-08-14

Family

ID=68483660

Country Status (1)

Country Link
CN (1) CN110460442B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant